I was recently asked by some colleagues how an IT admin can get into infosec. It's a tough question for three reasons:
1) Most administrators are not wired to be security professionals. The goal of admins is to provide services to users. The goal of infosec is to limit services to only authorized users. These goals often conflict.
2) Most admins specialize in a single technology; good security pros need to be fluent in a wide range of technologies.
3) Security requires a deep knowledge of computing and networking theory, which many admins lack. Modern operating systems provide a high level of abstraction from issues such as the proper format of TCP headers. I know some very skilled systems engineers who do not fully understand a 3-way handshake, nor do they need to. But for a security engineer, understanding this process, how to exploit it, and how to recognize when someone else is exploiting it is critical.
My best advice for those crazy enough to desire a career in infosec is always to start with the technology they already know, learn how it works at a low level and how to break it, and then learn how to protect it. After that, security is a non-stop learning process. The best security guys I know spend hours reading, surfing, and studying every night. Sleep is for the weak!
I compiled the list of books below as a representative sample of the books on my shelf that I reach for regularly. In my (never) humble opinion, every infosec professional should own (and read) each of these, or others in the same category. Originally, I intended this to be a Top 10 list, but I had too many books on my list. 20 is the shortest I could get it and still be representative.
Back in 2000, Microsoft released its 10 Immutable Laws of Security and 10 Immutable Laws of Security Administration. Six years later, these laws are still true. I recently started reading the excellent book Protect Your Windows Network: From Perimeter to Data by Jesper Johansson and Steve Riley, and they include these laws in their appendix. If you have not read this book, buy it immediately! It is a well-written introduction to the theory of network security, and is probably the best guide I've seen for those who are new to infosec. Although the book comes from Microsoft, and the title includes Windows, the book covers a wide range of topics, including social engineering, patch management, and security policy management, that can be applied to any environment.
After reading this book, I decided to write my own updated list of 10 Immutable Laws of Information Security. These 10 rules represent years of experience, hundreds of projects, and countless mistakes:
U3 is a fun new technology for USB flash devices. U3 flash drives contain a partition that emulates a CD-ROM drive, where U3-enabled applications are installed. The CD emulation means that these devices will auto-play on most XP, 2000 and 2003 computers when the drive is inserted. The talented folks over at hak5.org have created several projects, including Switchblade and its younger cousin Hacksaw, which exploit this technology for hacking/pen testing.
U3 reinforces the old security axiom, "if I can touch it, I own it." Using auto-play with exploit code is nothing new; CDs can be used in this manner. What is new is the ability to run this from a writeable device. As the hak5 guys have proven, this is a deadly combo. Plug your USB drive in, wait for it to siphon off password hashes or key files, install a back-door, and be gone. This works even if the screen is locked. One more reason why, at some companies, the janitor is the richest guy in the place.
As pen testers, U3 is just one more tool to make our lives easier. As security managers, developing a defense in depth against U3 is difficult. Here are a few suggestions to make it easier. Most of these are just good general security practices, but U3 increases their importance:
I recently was challenged with the task of determining if any rogue access points existed on a large network, spanning multiple locations. The concern was that local staff would go down to CompUSA or Office Depot and buy APs to provide “convenience,” and IT would have no way of knowing. It was not practical to go visit each site, and we could not rely upon local staff, because they were the very people we were worried about.
We determined that the likely scenario would be that the staff plugged the AP into the network and obtained an "external" IP address from our DHCP servers. The likelihood that they would have statically assigned an IP seemed slim, since they would have no way to determine which IPs would fall outside the DHCP range. Also, we counted on laziness to rule the day, since the AP would work fine with DHCP.
I came up with the following batch script to run against our DHCP servers. It dumps all current DHCP lease holders, and then checks them for known AP MAC address prefixes.
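The original batch script is not reproduced on this page. As an added example (not the author's script), the Python below does the same two steps: normalise the MAC column of a lease dump and flag any lease whose OUI (first three octets) is in a list of consumer AP vendors. The OUI values and the lease lines are constructed for illustration; build the real OUI list from the IEEE registry and map the columns of your own DHCP server's output.

```python
import re

# Constructed OUI table: these vendor prefixes are assumed examples only.
# Build the real list from the IEEE OUI registry for the AP models you care about.
AP_VENDOR_OUIS = {
    "00-09-5B": "Netgear (assumed example)",
    "00-0F-66": "Cisco-Linksys (assumed example)",
    "00-1E-58": "D-Link (assumed example)",
}

# Constructed sample of a lease dump normalised to "IP  MAC  hostname" per line;
# real DHCP server output will need its own column mapping.
SAMPLE_LEASES = """\
IP Address    MAC Address         Host
10.1.20.15    00:09:5b:3a:21:c7   WRT-office
10.1.20.16    00-1B-21-77-0D-E2   jsmith-laptop
10.1.20.17    000f66a1b2c3        (none)
10.1.20.18    00-50-56-9A-11-22   build-vm
"""

def normalize_mac(mac):
    """Accept colon, dash or bare-hex MACs and return 'AA-BB-CC-DD-EE-FF'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_leases(text):
    """Return (ip, normalized_mac, host) tuples, skipping header or junk lines."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            mac = normalize_mac(parts[1])
        except ValueError:
            continue  # header line or unparseable row
        host = parts[2] if len(parts) > 2 else ""
        leases.append((parts[0], mac, host))
    return leases

def find_suspect_aps(leases, ouis=AP_VENDOR_OUIS):
    """Flag leases whose OUI (first three octets) belongs to a listed AP vendor."""
    hits = []
    for ip, mac, host in leases:
        vendor = ouis.get(mac[:8])
        if vendor:
            hits.append((ip, mac, host, vendor))
    return hits
```

This only catches devices that lease an address with their factory MAC; an AP whose WAN MAC was cloned from a PC, or one given a static address, will not appear, so treat hits as leads to confirm on site rather than proof.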
The purpose of this paper is to detail the design of a production firewall for an e-commerce company. Companies with websites and other public-facing services do not take into account correct security practices for their network. It is important to understand the security needs of protecting their website and other Internet-facing computer systems.
A firewall is the focal point in network and system security. This paper will look at proper firewall standards and best practices, modeled after Cisco SAFE and CERT, for using a firewall in an e-commerce network. Proper DMZ design and the physical placement of the firewall will be discussed, as will firewall security policy rules and how best to configure them. Beyond normal firewall design, this paper will list other ways to secure the firewall itself: proper logging, daily backups of the configuration, security audits, and disabling unneeded settings.
This paper will give network administrators a proper guide to securing a network and the firewall.
Adding RSS to your blog is a useful way to make it more dynamic. During the design of EdgeBlog, we tried out several different WordPress plugins. The best we found was InlineRSS from Iconophobia. It powers the RSS feeds in our sidebar. It is much easier to use than either firstRSS/sideRSS or Aggregate.
If you are looking to add RSS to either the sidebar or the main body, InlineRSS is your answer.